Need help with Zimbra Multi-Server Installation on CentOS 7? We can help you.
Here at Bobcares, our Experienced Server Admins assist our clients with several Zimbra related queries.
Today, let us focus on how our Support Engineers perform a Zimbra Multi-Server Installation on CentOS 7.
Zimbra Multi-Server Installation on CentOS 7
Zimbra is the best open-source mail collaboration suite. Only Exchange and other commercial email products compare with it.
Installation of single server Zimbra is a straightforward process. However, getting a multi-server setup is a bit of a process with many moving parts.
We need to perform it in the given order:
- Install LDAP server(s) – Multi-Master Replication (MMR) or Replication
- Then Install Zimbra Mailbox Server(s)
- Install MTA Server(s)
- Finally, Install Proxy Server(s)
This setup will have the following servers:
- LDAP Servers – with Multi-Master Replication (MMR)
- Mailbox servers
- MTA Servers
- Proxy servers – with keepalived and VIP
2 each.
So the total number of servers for this setup is 7. Hostnames use the following formats:
- LDAP Servers – ldap01.domain.com & ldap02.domain.com
- Mailbox servers – mx01.domain.com & mx02.domain.com
- 2 MTA servers – mta01.domain.com & mta02.domain.com
- 2 Proxy servers – proxy01.domain.com & proxy02.domain.com. VIP on mail.domain.com
We replace domain.com with our active domain name or modify it to fit the environment.
Lab Environment Setup and Installation
Now we will cover how our Support Techs go about the Zimbra Multi-Server Installation on CentOS 7.
Step 1: Install CentOS 7 on all servers
The first step is to install CentOS 7 on all target servers and update packages to the latest release.
sudo yum -y update
Step 2: Install Zimbra Prerequisite packages and set hostnames
Install all packages required for Zimbra installation and set hostnames on all servers. To do this we run the command:
sudo yum -y install perl-core unzip libaio nmap-ncat sysstat openssh-clients
Then we set hostnames using the command:
$ sudo hostnamectl set-hostname <hostname>
For example,
sudo hostnamectl set-hostname ldap01.domain.com
Step 3: Modify /etc/hosts with the hostname and IP address
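Now that we have the correct hostname set, edit the hosts file to have the IP address and hostname. We can use the echo command for this. The output is piped through sudo tee because a plain >> redirection is performed by the unprivileged shell, not by sudo:
echo "<IP Address> <Hostname>" | sudo tee -a /etc/hosts
For example,
echo "192.168.1.20 mta-01.domain.com" | sudo tee -a /etc/hosts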
We perform this on all servers.
Step 4: Download latest Zimbra release locally on all servers
We download Zimbra compressed package to each server and extract it to make it ready for the installation process. For this installation, let us use Zimbra 8.8.
wget https://files.zimbra.com/downloads/8.8.8_GA/zcs-8.8.8_GA_2009.RHEL7_64.20180322150747.tgz
tar -xvf zcs-8.8.8_GA_2009.RHEL7_64.20180322150747.tgz
We retain the full name of the file and directory since it helps later when doing an upgrade.
If we download the same version of Zimbra, we should have a directory named zcs-8.8.8_GA_2009.RHEL7_64.20180322150747/.
Step 5: Install Zimbra LDAP Server 1 (ldap01.domain.com)
Let us start with the first installation of Zimbra on the LDAP server. For the other LDAP server, we will configure multi-master replication for it.
# cd zcs-8.8.8_GA_2009.RHEL7_64.20180322150747/
Then we start the installation process:
# ./install.sh
Next, we fill in information like below:
Do you agree with the terms of the software license agreement ?
Use Zimbra's package repository
Select the packages to install
Install zimbra-ldap
Install zimbra-logger
Install zimbra-mta
Install zimbra-dnscache
Install zimbra-snmp
Install zimbra-store
Install zimbra-apache
Install zimbra-spell
Install zimbra-memcached
Install zimbra-proxy
Install zimbra-chat
Install zimbra-drive
Checking required space for zimbra-core
Installing zimbra-core zimbra-ldap zimbra-snmp
The system will be modified. Continue
The download of packages should now start. The configs are as below:
Common configuration
Hostname: ldap01.domain.com
Ldap master host: ldap01.domain.com
Ldap port: 389
Ldap Admin password: set
Store ephemeral attributes outside Ldap: no
Secure interprocess communications: yes
TimeZone: UTC
IP Mode: ipv4
Default SSL digest: sha256
Ldap configuration
Status: Enabled
Create Domain: yes
Domain to create: mail.domain.com
Ldap root password: set
Ldap replication password: set
Ldap postfix password: set
Ldap amavis password: set
Ldap nginx password: set
Ldap bes-searcher password: set
Double-check the setting for Ldap master host, hostname, and domain to create. Once the settings are verified, press a to start the installation and configuration process.
*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu or press 'a' to apply config (help):
Save configuration data to a file: Yes
Save config in file /opt/zimbra/config.31786
Saving config in /opt/zimbra/config.31786…done.
The system will be modified - continue: Yes
Once the installation is complete, pull password credentials that will be required for all the next steps:
ldap_amavis_password 4Y9WzugHAz
ldap_bes_searcher_password 4Y9WzugHAz
ldap_nginx_password 4Y9WzugHAz
ldap_postfix_password 4Y9WzugHAz
ldap_replication_password 4Y9WzugHAz
ldap_root_password 4Y9WzugHAz
zimbra_ldap_password 4Y9WzugHAz
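In the listing above, every LDAP service account carries the same password. The following check is an added example, not part of the original article: it reads a listing in that "key value" form (also accepting "key = value", which is an assumption about other output formats) and reports which keys share a password without printing the password. The sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: find LDAP service accounts
# that share a password in a "key value" (or "key = value") listing.

# Constructed sample input; these are not real credentials.
SAMPLE_CREDS='ldap_amavis_password Example-Pw-1
ldap_bes_searcher_password Example-Pw-1
ldap_nginx_password Example-Pw-2
ldap_postfix_password Example-Pw-1
ldap_replication_password Example-Pw-3
ldap_root_password Example-Pw-3
zimbra_ldap_password Example-Pw-4'

# Reads the listing on stdin. Prints one line per reused password with the
# comma-separated keys that share it; the password itself is never printed.
shared_password_groups() {
    awk '
        NF >= 2 {
            key = $1
            val = $0
            # Strip the key and an optional "=" separator, keep the value.
            sub(/^[ \t]*[^ \t]+[ \t]+(=[ \t]+)?/, "", val)
            if (val == "") next
            count[val]++
            keys[val] = (val in seen) ? keys[val] "," key : key
            seen[val] = 1
        }
        END {
            for (v in count)
                if (count[v] > 1) print keys[v]
        }' | sort
}

# Exit status 0 when every key has its own password, 1 when any are shared.
all_passwords_distinct() {
    [ -z "$(shared_password_groups)" ]
}

printf '%s\n' "$SAMPLE_CREDS" | shared_password_groups
```
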
Step 6: Enable LDAP MMR on ldap01 server
Since we set both LDAP servers to act as masters, we need to enable it on the master server.
We enable Multi-Master replication on an existing Single node master:
[root@ldap01 ~]$ su - zimbra
[zimbra@ldap01 ~]$ ./libexec/zmldapenable-mmr -s 1 -m ldap://ldap-02.domain.com:389/
[zimbra@ldap-01 ~]$ ./libexec/zmldapenable-mmr -r 101 -m ldap://ldap-02.domain.com:389/
[zimbra@ldap-01 ~]$ /opt/zimbra/libexec/zmldapmmrtool -q
Master Server ID: 1
Master replication agreement: 1
rid: 100 URI: ldap://ldap-02.domain.com:389/ TLS: critical
Master replication agreement: 2
rid: 101 URI: ldap://ldap-02.domain.com:389/ TLS: critical
[zimbra@ldap-01 ~]$
On Ldap Server 2, install Zimbra like the first one, but its configuration should look like below:
Common configuration
Hostname: ldap-02.domain.com
Ldap master host: ldap-01.domain.com
Ldap port: 389
Ldap Admin password: set
Store ephemeral attributes outside Ldap: no
Secure interprocess communications: yes
TimeZone: UTC
IP Mode: ipv4
Default SSL digest: sha256
Ldap configuration
Status: Enabled
Create Domain: yes
Domain to create: mail.domain.com
Ldap replication type: mmr
Ldap Server ID: 2
Ldap root password: set
Ldap replication password: set
Ldap postfix password: set
Ldap amavis password: set
Ldap nginx password: set
Ldap Bes Searcher password: set
Then we should configure the following:
- Ldap Admin password
- Ldap replication password
- Ldap replication type: mmr
- All other passwords
Step 7: Install Zimbra Mailbox Server(s)
Firstly, we install the two mailbox servers:
sudo ./install.sh
The packages to install are:
Do you agree with the terms of the software license agreement ? [N] y
Use Zimbra's package repository [Y] y
Select the packages to install
Install zimbra-ldap [Y] n
Install zimbra-logger [Y] y
Install zimbra-mta [Y] n
Install zimbra-dnscache [N] n
Install zimbra-snmp [Y] y
Install zimbra-store [Y] y
Install zimbra-apache [Y] y
Install zimbra-spell [Y] y
Install zimbra-memcached [Y] n
Install zimbra-proxy [Y] n
Install zimbra-chat [N] n
Install zimbra-drive [N] n
Install zimbra-imapd (BETA - for evaluation only) [N] n
Checking required space for zimbra-core
Installing : zimbra-core zimbra-logger zimbra-snmp zimbra-store zimbra-apache zimbra-spell zimbra-convertd zimbra-archiving zimbra-drive
The system will be modified. Continue ? [N] Y
We should only install the logger on one server. We can install logger on mx-01. Configs look like below:
Common configuration
Hostname: mx01.domain.com
Ldap master host: ldap01.domain.com
Ldap port: 389
Ldap Admin password: set
LDAP Base DN: cn=zimbra
Store ephemeral attributes outside Ldap: yes
Value for zimbraEphemeralBackendURL: ldap://default
Secure interprocess communications: yes
TimeZone: UTC
IP Mode: ipv4
Default SSL digest: sha256
Under Common configuration, we set:
- Hostname: mx01.domain.com
- Ldap master host: ldap01.domain.com
- Ldap Admin password:
Similarly, under zimbra-store, we make sure the following items are configured:
- Admin Password:
- SMTP host:
- Configure for use with mail proxy: TRUE
- Configure for use with web proxy: TRUE
- Install UI (zimbra,zimbraAdmin webapps): yes
- Install mailstore (service webapp): yes
Then we modify the settings that are necessary and start the installation process. For the other Mailbox server, we repeat the same steps but do not install the logger. It will run on mx-01.
Step 8: Install Zimbra MTA Server(s)
Our next phase is the installation of MTA servers. The package selection should be as below:
Select the packages to install
Install zimbra-ldap [Y] n
Install zimbra-logger [Y] n
Install zimbra-mta [Y] y
Install zimbra-dnscache [Y] y
Install zimbra-snmp [Y] y
Install zimbra-store [Y] n
Install zimbra-apache [Y] n
Install zimbra-spell [Y] n
Install zimbra-memcached [Y] n
Install zimbra-proxy [Y] n
Install zimbra-chat [N] n
Install zimbra-drive [N] n
Checking required space for zimbra-core
Installing: zimbra-core zimbra-mta zimbra-snmp zimbra-dnscache
The system will be modified. Continue ? [N] y
On the configurations window, make sure to set the following:
Under 1) Common Configuration, set:
- Hostname:
- Ldap master host:
- Ldap Admin password:
Hostname: mta01.domain.com
Ldap master host: ldap01.domain.com
Ldap port: 389
Ldap Admin password: set
LDAP Base DN: cn=zimbra
Store ephemeral attributes outside Ldap: yes
Value for zimbraEphemeralBackendURL: ldap://default
Secure interprocess communications: yes
TimeZone: UTC
IP Mode: ipv4
Default SSL digest: sha256
Under 2) zimbra-mta, set:
- Bind password for postfix ldap user:
- Bind password for amavis ldap user:
Mta configuration
Status: Enabled
Enable Spamassassin: yes
Enable Clam AV: yes
Enable OpenDKIM: yes
Notification address for AV alerts: admin@mta01.domain.com
Bind password for postfix ldap user: set
Bind password for amavis ldap user: set
Under zimbra-dnscache, configure master DNS IP addresses separated by space:
DNS Cache configuration
1) Status: Enabled
2) Master DNS IP address(es): 8.8.4.4 1.1.1.1 8.8.8.8
3) Enable DNS lookups over TCP: yes
4) Enable DNS lookups over UDP: yes
5) Only allow TCP to communicate with Master DNS: no
Once done, save the settings and type a to begin Zimbra MTA setup.
Step 9: Install Zimbra Proxy Server(s)
For installation of Zimbra Proxy server(s), we select the following packages during installation:
Select the packages to install
Install zimbra-ldap [Y] n
Install zimbra-logger [Y] n
Install zimbra-mta [Y] n
Install zimbra-dnscache [N] n
Install zimbra-snmp [Y] y
Install zimbra-store [Y] n
Install zimbra-apache [Y] n
Install zimbra-spell [Y] n
Install zimbra-memcached [Y] y
Install zimbra-proxy [Y] y
Install zimbra-chat [N] n
Install zimbra-drive [N] n
Checking required space for zimbra-core
Installing: zimbra-core zimbra-snmp zimbra-memcached zimbra-proxy
The system will be modified. Continue? [N] y
Then we fill in all the required information:
Common configuration
Hostname: proxy01.domain.com
Ldap master host: ldap01.domain.com
Ldap port: 389
Ldap Admin password: set
LDAP Base DN: cn=zimbra
Store ephemeral attributes outside Ldap: yes
Value for zimbraEphemeralBackendURL: ldap://default
Secure interprocess communications: yes
TimeZone: UTC
IP Mode: ipv4
Default SSL digest: sha256
Proxy configuration
Status: Enabled
Enable POP/IMAP Proxy: TRUE
Enable strict server name enforcement? TRUE
IMAP server port: 7143
IMAP server SSL port: 7993
IMAP proxy port: 143
IMAP SSL proxy port: 993
POP server port: 7110
POP server SSL port: 7995
POP proxy port: 110
POP SSL proxy port: 995
Bind password for nginx ldap user: set
Enable HTTP[S] Proxy: TRUE
Web server HTTP port: 8080
Web server HTTPS port: 8443
HTTP proxy port: 80
HTTPS proxy port: 443
Proxy server mode: redirect
For Proxy server mode, we choose http, https, both, redirect, or mixed depending on requirements. In this case, we use redirect.
Once we install all Zimbra proxy servers, we enable proxy console on port 9071:
$ su - zimbra
$ /opt/zimbra/libexec/zmproxyconfig -e -w -C -H `zmhostname`
- This will enable admin console proxy port 9071 on the proxy server.
- Make sure to configure the mailbox server’s admin console on port 7071 (default).
Then we restart the proxy service after making the changes:
$ zmproxyctl restart
The service should bind to port 9071. We confirm this with the ss command:
$ ss -tunelp | grep 9071
To access the admin console over a proxy, the URL should be https://proxy-0x.domain.com:9071/
Step 10: Configure Zimbra Logger Service
As mentioned earlier, our logger service will run on mailbox server 1 (mx01.domain.com). For this, we need to first install and configure rsyslog service on this server.
Uncomment the following lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Similarly, we add this line after $UDPServerRun 514:
SYSLOGD_options="-r -m 0"
Then we set up Zimbra syslog and restart rsyslog service:
$ /opt/zimbra/libexec/zmfixperms -e -v
$ /opt/zimbra/libexec/zmsyslogsetup
updateSyslog: Updating /etc/rsyslog.conf…done.
$ systemctl restart rsyslog.service
$ su - zimbra
$ /opt/zimbra/libexec/zmloggerinit
Stopping logswatch…done.
Starting logswatch…done.
$ /opt/zimbra/bin/zmupdateauthkeys
We verify the LogHostname using the commands below:
$ sudo su - zimbra
$ zmprov gacf | grep zimbraLogHostname
zimbraLogHostname: mx01.domain.com
If it is different, we change it to the logger monitor host using the command below:
$ zmprov mcf zimbraLogHostname <Logger monitor Hostname>
Then we configure each Zimbra server to log to the newly set logger server.
$ sudo /opt/zimbra/libexec/zmfixperms -e -v
$ sudo su - zimbra
$ /opt/zimbra/bin/zmupdateauthkeys ; exit
$ /opt/zimbra/libexec/zmsyslogsetup
$ sudo systemctl restart rsyslog
$ sudo su - zimbra -c "zmcontrol restart"
Step 11: Configure Zimbra Proxy HA with Keepalived
Since we have two Zimbra proxy servers, we need to ensure that we have HA for the proxy server.
The setup for the proxy is:
- 2 Proxy servers – proxy01.domain.com & proxy02.domain.com
- Both will serve using mail.domain.com
In a nutshell, this is how it works:
- The Proxy Master has the VIP
- The Proxy Master becomes unavailable
- The VIP passes to the Backup server, which then handles the service
We configure proxy01 as master and proxy02 as a Backup Server.
Initially, we install Keepalived on both servers:
sudo yum -y install keepalived
Then we configure Keepalived on Master Server (proxy01):
$ cat /etc/keepalived/keepalived.conf
vrrp_script chk_zimbra_nginx {
    script "killall -0 nginx"   # check the zimbra nginx process
    interval 2                  # every 2 seconds
    weight 2                    # add 2 points if OK
}
vrrp_instance VI_1 {
    interface eth0              # interface to monitor
    state MASTER                # MASTER on proxy-01, BACKUP on proxy-02
    virtual_router_id 51
    priority 101                # 101 on proxy-01, 100 on proxy-02
    virtual_ipaddress {
        192.168.1.23/24
    }
    track_script {
        chk_zimbra_nginx
    }
}
Next, we configure Keepalived on Backup Server (proxy02):
$ cat /etc/keepalived/keepalived.conf
vrrp_script chk_zimbra_nginx {
    script "killall -0 nginx"   # check the zimbra nginx process
    interval 2                  # every 2 seconds
    weight 2                    # add 2 points if OK
}
vrrp_instance VI_1 {
    interface eth0              # interface to monitor
    state BACKUP                # MASTER on proxy-01, BACKUP on proxy-02
    virtual_router_id 51
    priority 100                # 101 on proxy-01, 100 on proxy-02
    virtual_ipaddress {
        192.168.1.23/24
    }
    track_script {
        chk_zimbra_nginx
    }
}
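Why priorities 101 and 100 with a weight of 2 produce a failover: keepalived adds a positive weight to a node's priority while its track script succeeds, and the node with the higher effective priority holds the VIP. The script below is an added example, not part of the original article; it models that election from the priority and weight values in the two configurations above and also shows that the failover only triggers while the priority gap is smaller than the weight.

```shell
#!/bin/sh
# Added example, not from the original article: model the VRRP election for
# the two keepalived.conf files above and check that a dead nginx moves the VIP.

# Priority and weight lines as configured above on proxy01 and proxy02.
MASTER_CONF='weight 2
priority 101'
BACKUP_CONF='weight 2
priority 100'

# Print the first value of a directive from keepalived.conf text on stdin.
conf_value() {
    awk -v d="$1" '$1 == d { print $2; exit }'
}

# effective_priority <conf_text> <check_ok>
# keepalived adds a positive weight while the track_script succeeds
# (check_ok is 1) and adds nothing when it fails (check_ok is 0).
effective_priority() {
    p=$(printf '%s\n' "$1" | conf_value priority)
    w=$(printf '%s\n' "$1" | conf_value weight)
    echo $(( p + w * $2 ))
}

# vip_holder <master_conf> <backup_conf> <master_nginx_ok> <backup_nginx_ok>
vip_holder() {
    m=$(effective_priority "$1" "$3")
    b=$(effective_priority "$2" "$4")
    if [ "$m" -gt "$b" ]; then echo proxy01
    elif [ "$b" -gt "$m" ]; then echo proxy02
    else echo tie   # VRRP then prefers the higher interface address
    fi
}

# Failover needs the priority gap to be smaller than the weight; otherwise
# proxy01 keeps the VIP even though its nginx is down.
failover_works() {
    [ "$(vip_holder "$1" "$2" 0 1)" = proxy02 ]
}

for state in "1 1" "0 1" "1 0" "0 0"; do
    set -- $state
    echo "master_ok=$1 backup_ok=$2 -> $(vip_holder "$MASTER_CONF" "$BACKUP_CONF" "$1" "$2")"
done
```
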
Enable IP forwarding and configure firewalld:
Keepalived requires IP forwarding configured and some firewall rules added for VRRP packets to come through.
To do this, we first enable IP forwarding:
$ echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
$ sysctl -p
net.ipv4.ip_forward = 1
Then we add firewall rules on each network interface that Keepalived will control. It is to allow VRRP communication using the multicast IP address 224.0.0.18 and the VRRP protocol (112).
For example:
$ firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 \
  --in-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
$ firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 \
  --out-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
$ firewall-cmd --reload
We enable and start the keepalived service on each server:
sudo systemctl enable keepalived
sudo systemctl start keepalived
If we change the Keepalived configuration, we need to reload it:
sudo systemctl reload keepalived
We kill the Nginx process on the master server and check whether the Virtual IP switches to the backup server:
$ killall nginx
$ ip add    # run on the Backup server to check the IP address configuration
Step 12: Reset admin password and Access Web UI
Initially, we reset the admin password:
$ su - zimbra
$ zmprov sp admin@domain.com strongpassword
We access Web UI through direct access to proxy servers or hostname. Admin dashboard is accessible from port 9071.
Then we configure firewall rules for proxy servers using:
firewall-cmd --add-service={http,https,smtp,smtps,imap,imaps,pop3,pop3s} --permanent
firewall-cmd --add-port=11211/tcp --permanent
firewall-cmd --add-port=9071/tcp --permanent
firewall-cmd --reload
To restrict access to the admin interface to a specific IP address, we use firewalld rich rules instead:
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=source-ip-address/32 \
  destination address=dest-ip-address/32 port port=9071 protocol=tcp accept"
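A rich-rule accept only narrows access if the blanket --add-port opening for the same port is removed, since the port otherwise stays open to every source in the zone. The script below is an added example, not part of the original article: it prints (without executing) the firewall-cmd lines that limit one TCP port to listed sources, for the admin console on 9071 and for memcached on 11211. The source addresses are constructed, and which hosts need port 11211 is an assumption to adapt.

```shell
#!/bin/sh
# Added example, not from the original article: print the firewalld commands
# that limit one TCP port to listed source addresses. Nothing is executed;
# run "firewall-cmd --reload" after applying the printed commands.

# Accept dotted-quad IPv4 with an optional /0-32 prefix, reject anything else.
valid_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    printf '%s\n' "$1" | awk -F'[./]' '{
        for (i = 1; i <= 4; i++) if ($i > 255) exit 1
        if (NF == 5 && $5 > 32) exit 1
    }'
}

# restrict_port_cmds <port> <source>...
# Removes the blanket --add-port opening first: a rich-rule "accept" narrows
# nothing while the same port is still open to every source in the zone.
restrict_port_cmds() {
    port=$1
    shift
    [ "$#" -gt 0 ] || { echo "no sources given" >&2; return 1; }
    # Validate every source before printing anything.
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    echo "firewall-cmd --permanent --remove-port=$port/tcp"
    for src in "$@"; do
        echo "firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=$src port port=$port protocol=tcp accept'"
    done
}

# Constructed addresses: one admin workstation for 9071, and two hosts that
# are assumed to need memcached on 11211.
restrict_port_cmds 9071 192.168.1.50/32
restrict_port_cmds 11211 192.168.1.31/32 192.168.1.32/32
```
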
Now it is ready to roll. Reset the admin password, and log in to the Admin dashboard. Start making changes and do further configurations to Zimbra installation.
Conclusion
To conclude, the installation of a single server in Zimbra is a straightforward process. However, getting a multi-server setup is a bit of a process. Today we saw how our Support Engineers go about the installation.